Metrics audiences

Security metrics audience:

External stakeholders
- Owners - for reassurance
- Regulators & authorities - for

Senior management, C-suite, Board - for strategic purposes, governance & assurance

Middle/junior management - for information security management & process improvement

Operations - for operational reasons e.g. to configure & manage security controls

Peers - for benchmarking comparison & sharing good practices




1/06/2012 



[Figure: metrics plotted against goals & outcomes; labels "Predictive", "Relevant", "Goals & outcomes", arrow "-> time and uncertainty"]

Figure adapted from Hauser and Katz, Metrics: You Are What You Measure
www.mit.edu/~hauser/Papers/Hauser-Katz Measure 04-98.pdf
Half a dozen dials ...

"Every CSO should have half a dozen dials to watch on a regular basis. These indicators could be 'survival metrics', the hot buttons on a dashboard you are expected to address that monitor the wellness of your organization or an issue of particular concern to management."

George K. Campbell
about what the five or seven keywords mean, or even what they are in any given situation. Typically accepted values are:

Minor Terms
- S: Significant, Stretching, Simple
- M: Meaningful, Motivational, Manageable
- A: Appropriate, Achievable, Agreed, Assignable, Actionable, Ambitious, Aligned, Aspirational, Acceptable, Action-focused
- R: Results-oriented, Realistic, Resourced, Resonant
- T: Time-oriented, Time framed, Timed, Time-based, Timeboxed, Time-bound, Time-Specific, Timetabled, Time limited, Trackable, Tangible
- E: Evaluate, Ethical, Excitable, Enjoyable, Engaging, Ecological
- R: Reevaluate, Rewarded, Reassess, Revisit, Recordable, Rewarding, Reaching

Table from
attributed to Paul J. Meyer




PRAGMATIC

Predictive - forward-looking
Relevant - to the business and infosec
Actionable - controllable, do-able
Genuine - can't be faked or falsified
Meaningful - to the audience
Accurate - enough to be useful
Timely - here and now
Independent - hence verifiable
Cheap - always a plus!
Electronic Mail System

From: InformationSecurityManager@AcmeEntInc.com
To: ChiefExecutiveOfficer@AcmeEntInc.com
Subject: Information security budget

Dear Fred, 

Thank you for the opportunity to explain the basis for the information security budget. As I'm sure you
know, we have been quietly developing an information security measurement system comprising a suite of
security metrics addressing the very issues you raise, so I hope the following information is exactly what
you need.

1. Return on investment: the original business case for the Information Security Management System
laid out the projected costs and benefits in order to justify both the initial investment and the ongoing
operations. We have been diligently tracking actuals against the plan for the eighteen months since we
got the green light for the ISMS. I am delighted to report that although the project consumed all its
contingency, the returns have thus far exceeded our expectations (exhibit 1):



[Chart: Cumulative net value of the ISMS]

Exhibit 1: Net value of the Information Security Management System
If, as you imply, the information security risks are not at the appropriate level in the list, we would have
to work with the IAOs to find ways to reduce the security protecting their assets and accept higher
risks. For our own part, we have identified a few areas in which we believe we may be able to improve
our efficiency and cost effectiveness and realize substantial savings over 5 years (exhibit 3):



[Chart; one visible segment label: "Improve security metrics, $10,000"]

Exhibit 3: Estimated security savings over 5 years



As you will see from the data above, we are consciously taking a pragmatic, focused approach to the 
security metrics we use operationally and for security management, plus those of a more strategic nature 
that are reported to senior management. 

Please let me know if you would like to discuss the meaning and/or the way we present the metrics as we
would like to incorporate this kind of information into our regular management reports, and we don't want
to waste your time with irrelevancies. Given the chance, I would love to help you prepare and perhaps
deliver a briefing to the Board demonstrating how much we are achieving for the business through our
professional, good practice approach to information security.

Regards, 

John D.

Information Security Manager 